- NaFl means sarcastically: "It is totally Not AFL"
- NOTE: when I say AFL, I mean AFL v.0.1 alpha ;)
What is it?
It is a prototype of a code coverage fuzzer. I wanted to have something like AFL to use on Windows. Unfortunately everything looked very *NIX centric (AFAIK), so I decided to implement the core principles from the ground up (and learned something on the way).
It leverages dynamic binary instrumentation (DBI) to measure code coverage in blackbox Windows binaries.
- "Fun" fact: adding support for Intel PIN to AFL was actually my original research project but mothran beat me to it, see his (her?) fantastic work here
- NaFl can be thought of as this, with a Python core implementing a simple fuzzing logic
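What the "core principles" amount to, as an added example that is not NaFl's own code: an AFL-style loop that keeps a mutant only when it reaches an edge no earlier input reached. The `hit()` callback stands in for the per-basic-block trace the PinTool would report, the victim `target()` and its `NaFl` magic header are constructed for this example, and the block ids are chosen by hand.

```python
"""Toy coverage-guided fuzzer showing the AFL-style core loop that a
Python fuzzing core sits on top of. Added example, not NaFl's code: the
hit() callback stands in for the basic-block trace a Pin tool reports."""

MAP_SIZE = 1 << 16        # AFL's edge bitmap is 64 KiB
MAGIC = b"NaFl"           # constructed: header the toy victim expects


def edge_index(prev_loc, cur_loc):
    """AFL edge id: current block xor the (already shifted) previous block."""
    return (cur_loc ^ prev_loc) & (MAP_SIZE - 1)


def target(data, hit):
    """Constructed victim: four byte checks guarding a simulated crash.
    Block ids are powers of two and control flow only moves forward, so
    no two edges of this toy collide in the bitmap."""
    hit(1 << 1)                                  # entry block
    for i, want in enumerate(MAGIC):
        if i >= len(data) or data[i] != want:
            hit(1 << (2 + 2 * i))                # "byte i wrong" exit block
            return False
        hit(1 << (3 + 2 * i))                    # "byte i ok" block
    if len(data) > 4 and data[4] == 0xFF:
        hit(1 << 11)
        raise RuntimeError("simulated crash")    # the bug the fuzzer is hunting
    hit(1 << 12)
    return True


def run(data):
    """Execute the victim once; return (edge hit counts, crashed?)."""
    bitmap = {}
    state = {"prev": 0}

    def hit(cur):                                # what the PinTool does per block
        idx = edge_index(state["prev"], cur)
        bitmap[idx] = bitmap.get(idx, 0) + 1
        state["prev"] = cur >> 1                 # shift so A->B differs from B->A

    try:
        target(data, hit)
        return bitmap, False
    except RuntimeError:
        return bitmap, True


def fuzz(seed, max_runs=100_000):
    """Deterministic byte walk over each queue entry; a mutant joins the
    queue only when it lights up an edge the global map has never seen."""
    global_map = set()
    queue, crashes = [], []
    runs = 0

    def consider(data):
        nonlocal runs
        runs += 1
        bitmap, crashed = run(data)
        if crashed:
            crashes.append(data)                 # crashes are saved, not queued
            return
        new_edges = set(bitmap) - global_map
        if new_edges:
            global_map.update(new_edges)
            queue.append(data)

    consider(seed)
    qi = 0
    while qi < len(queue) and not crashes:
        base = queue[qi]
        qi += 1
        for pos in range(len(base)):
            for val in range(256):
                if val == base[pos]:
                    continue
                consider(base[:pos] + bytes([val]) + base[pos + 1:])
                if crashes or runs >= max_runs:
                    return queue, crashes, runs
    return queue, crashes, runs


if __name__ == "__main__":
    q, c, n = fuzz(b"\x00" * 5)
    print(f"{n} runs, {len(q)} queue entries, crashes: {c}")
```

Starting from five zero bytes, each magic byte becomes a separate queue entry as it is discovered, because passing one check exposes the next check's blocks; a blind mutator would need all four bytes right at once. Real AFL adds havoc stages and buckets the hit counts; only the deterministic byte stage is shown here.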
Why does the code suck so much?
- Don't let physicists do computer science. Or anything else for that matter :)
NaFl is written in Python (Core) and C/C++ (the DBI core). Most of the installation is straightforward:
Clone the project
There are two major directories:
- NaFlCore: nothing to do here at installation time
- PinTool: contains a single file "MyPinTool.cpp"
- Compiling your own PinTool is kind of a pain so most of the people I know use this little trick:
- cd to Pin_directory\source\tools\MyPinTool
- Overwrite the MyPinTool.cpp file with yours
- Open the project in Visual Studio (I used VS Community 2013; using that version is strongly recommended)
- Build the project
- NOTE: if you get errors complaining about SafeSEH just deactivate it in the linker options.
- Right click -> Properties -> Configuration Properties -> Linker -> All Options
- Search for "Image Has Safe Exception Handlers" and set it to "NO (/SAFESEH: NO)"
- Move the resulting DLL to a directory of your choice (you can rename it as well)
That should do it.
These Python modules are part of the client's core:
- Winappdbg (pip install winappdbg)
- This is awesome sauce, check more here
- SQLAlchemy (pip install sqlalchemy)
The following Python modules are needed for the server:
- Tornado (pip install tornado)
- Twisted (pip install twisted)
Once everything is installed, running it is pretty straightforward.
Run the server for collecting information and crash files
Edit the config file
- Location of PIN and the corresponding PinTool
- Location of the victim binary to analyze
Run the core
At this moment NaFl has been tested in the following configurations:
- Windows 7 x64
Regularly evaluate the quality of mutations in the queue
- Remove ones not yielding anything interesting in a long time?
- Trim mutations?
Static analysis of the victim binary itself
- Cannibalize strings
- Check proximity to str(n)cmp and the like…
- Maybe implement in JARVIS?
Pre-analysis of the samples
- Find high entropy regions (uninteresting)
- Find ASCII regions
- Compare samples to find fixed tokens (PNG, etc.)
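The three pre-analysis ideas above, as an added example that is not NaFl's code: block-wise Shannon entropy to flag payload not worth mutating, runs of printable bytes, and a byte-by-byte comparison across samples to find the fixed tokens they all share. The PNG-shaped samples are constructed (the IEND chunk bytes are the real PNG constant; the header and body are made up).

```python
"""Sample pre-analysis helpers: high-entropy blocks, ASCII runs and fixed
tokens shared by all samples. Added example, not NaFl's code; the
PNG-shaped samples built by make_sample() are constructed."""
import math


def shannon_entropy(chunk):
    """Bits per byte of chunk: 0 for one repeated value, log2(len) when every byte differs."""
    if not chunk:
        return 0.0
    n = len(chunk)
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def runs(flags, min_len):
    """Collapse a per-byte boolean list into (start, end) runs of >= min_len bytes."""
    out, start = [], None
    for i, f in enumerate(list(flags) + [False]):   # sentinel closes a trailing run
        if f and start is None:
            start = i
        elif not f and start is not None:
            if i - start >= min_len:
                out.append((start, i))
            start = None
    return out


def high_entropy_regions(data, block=32, ratio=0.95):
    """Block-aligned spans whose entropy is within 5% of the maximum for the
    block length: compressed or encrypted payload, wasted effort for a mutator."""
    flags = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        hot = len(chunk) > 1 and shannon_entropy(chunk) >= ratio * math.log2(len(chunk))
        flags.extend([hot] * len(chunk))
    return runs(flags, block)


def ascii_regions(data, min_len=4):
    """Runs of printable ASCII: chunk names, magic strings and text fields."""
    return runs([0x20 <= b <= 0x7E for b in data], min_len)


def fixed_tokens(samples, min_len=4):
    """Byte positions identical in every sample: signatures and chunk names
    a mutator should keep intact (or flip deliberately to test parsers)."""
    n = min(len(s) for s in samples)
    same = [len({s[i] for s in samples}) == 1 for i in range(n)]
    return runs(same, min_len)


def make_sample(k):
    """Constructed PNG-shaped sample: a fixed 32-byte header, a 256-byte
    pseudo-compressed body that differs per sample, and the real IEND chunk."""
    header = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 16
    body = bytes((37 * i + 101 * k) & 0xFF for i in range(256))   # distinct bytes per block
    trailer = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"
    return header + body + trailer


if __name__ == "__main__":
    samples = [make_sample(k) for k in range(3)]
    print("high entropy:", high_entropy_regions(samples[0]))
    print("ascii       :", ascii_regions(samples[0]))
    print("fixed tokens:", fixed_tokens(samples))
```

On the constructed samples the body shows up as one high-entropy span, the chunk names IHDR and IEND as ASCII runs, and the header plus IEND chunk as the tokens shared by all three files. The entropy threshold is relative to the block length because a 32-byte block can never exceed 5 bits per byte; with real files use larger blocks and tune the ratio against known compressed sections.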
This was done during my work time and therefore paid for by my current employer, Siemens AG.
Yes we do more than washing machines! ;)
Thanks for allowing this public release.